Export limit exceeded: 11315 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (11315 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-63207 | 1 Rvr | 23 Tex, Tex1002lcd, Tex1002lcd Firmware and 20 more | 2026-01-15 | 9.8 Critical |
| The R.V.R Elettronica TEX product (firmware TEXL-000400, Web GUI TLAN-000400) is vulnerable to broken access control due to improper authentication checks on the /_Passwd.html endpoint. An attacker can send an unauthenticated POST request to change the Admin, Operator, and User passwords, resulting in complete system compromise. | ||||
| CVE-2025-63224 | 1 Itel | 3 Dab Encoder, Idenc, Idenc Firmware | 2026-01-15 | 10 Critical |
| The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices. | ||||
| CVE-2025-63223 | 1 Axeltechnology | 2 Streamermax Mk Ii, Streamermax Mk Ii Firmware | 2026-01-15 | 9.8 Critical |
| The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device. | ||||
| CVE-2026-22594 | 1 Ghost | 1 Ghost | 2026-01-15 | 8.1 High |
| Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0. | ||||
| CVE-2025-48371 | 1 Openfga | 2 Helm Charts, Openfga | 2026-01-15 | 8.8 High |
| OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 (corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12) are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected under four specific conditions: First, calling Check API or ListObjects with an authorization model that has a relationship directly assignable by both type bound public access and userset; second, there are check or list object queries with contextual tuples for the relationship that can be directly assignable by both type bound public access and userset; third, those contextual tuples’s user field is an userset; and finally, type bound public access tuples are not assigned to the relationship. Users should upgrade to version 1.8.13 to receive a patch. The upgrade is backwards compatible. | ||||
| CVE-2025-11192 | 2 Extreme Networks, Extremenetworks | 2 Fabric Engine, Fabric Engine \(voss\) | 2026-01-15 | 8.6 High |
| A vulnerability in Extreme Networks’ Fabric Engine (VOSS) before 9.3 was discovered. When SD-WAN AutoSense is enabled on a port, it may automatically configure fabric connectivity without validating ISIS authentication settings. The SD-WAN AutoSense implementation may be exploited by malicious actors by allowing unauthorized access to network fabric and configuration data. | ||||
| CVE-2026-22605 | 1 Openproject | 1 Openproject | 2026-01-14 | 4.3 Medium |
| OpenProject is an open-source, web-based project management software. OpenProject versions prior to version 16.6.3, allowed users with the View Meetings permission on any project, to access meeting details of meetings that belonged to projects, the user does not have access to. This issue has been patched in version 16.6.3. | ||||
| CVE-2019-0543 | 1 Microsoft | 15 Windows 10 1507, Windows 10 1607, Windows 10 1703 and 12 more | 2026-01-14 | 7.8 High |
| An elevation of privilege vulnerability exists when Windows improperly handles authentication requests, aka "Microsoft Windows Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. | ||||
| CVE-2022-40684 | 1 Fortinet | 3 Fortios, Fortiproxy, Fortiswitchmanager | 2026-01-14 | 9.8 Critical |
| An authentication bypass using an alternate path or channel [CWE-288] in Fortinet FortiOS version 7.2.0 through 7.2.1 and 7.0.0 through 7.0.6, FortiProxy version 7.2.0 and version 7.0.0 through 7.0.6 and FortiSwitchManager version 7.2.0 and 7.0.0 allows an unauthenticated atttacker to perform operations on the administrative interface via specially crafted HTTP or HTTPS requests. | ||||
| CVE-2023-28396 | 1 Intel | 2 Jhl8440, Jhl8440 Firmware | 2026-01-14 | 6.1 Medium |
| Improper access control in firmware for some Intel(R) Thunderbol(TM) Controllers versions before 41 may allow a privileged user to enable denial of service via local access. | ||||
| CVE-2023-31189 | 1 Intel | 54 Openbmc, Xeon Bronze 3408u, Xeon Gold 5403n and 51 more | 2026-01-14 | 5.2 Medium |
| Improper authentication in some Intel(R) Server Product OpenBMC firmware before version egs-1.09 may allow an authenticated user to enable escalation of privilege via local access. | ||||
| CVE-2023-35121 | 1 Intel | 17 Advisor, Cluster Checker, Distribution For Python and 14 more | 2026-01-14 | 7.8 High |
| Improper access control in the Intel(R) oneAPI DPC++/C++ Compiler before version 2022.2.1 for some Intel(R) oneAPI Toolkits before version 2022.3.1 may allow authenticated user to potentially enable escalation of privilege via local access. | ||||
| CVE-2025-69273 | 3 Broadcom, Linux, Microsoft | 3 Dx Netops Spectrum, Linux Kernel, Windows | 2026-01-14 | 7.5 High |
| Improper Authentication vulnerability in Broadcom DX NetOps Spectrum on Windows, Linux allows Authentication Bypass.This issue affects DX NetOps Spectrum: 24.3.10 and earlier. | ||||
| CVE-2023-44248 | 1 Fortinet | 2 Fortiedr, Fortiedrcollectorwindows | 2026-01-14 | 4 Medium |
| An improper access control vulnerability [CWE-284] in FortiEDRCollectorWindows version 5.2.0.4549 and below, 5.0.3.1007 and below, 4.0 all may allow a local attacker to prevent the collector service to start in the next system reboot by tampering with some registry keys of the service. | ||||
| CVE-2025-54822 | 1 Fortinet | 2 Fortios, Fortiproxy | 2026-01-14 | 4.2 Medium |
| An improper authorization vulnerability [CWE-285] vulnerability in Fortinet FortiOS 7.4.0 through 7.4.1, FortiOS 7.2.0 through 7.2.8, FortiOS 7.0.0 through 7.0.11, FortiProxy 7.4.0 through 7.4.8, FortiProxy 7.2 all versions, FortiProxy 7.0 all versions, FortiProxy 2.0 all versions allows an authenticated attacker to access static files of others VDOMs via crafted HTTP or HTTPS requests. | ||||
| CVE-2025-53845 | 1 Fortinet | 1 Fortianalyzer | 2026-01-14 | 6.2 Medium |
| An improper authentication vulnerability [CWE-287] in Fortinet FortiAnalyzer version 7.6.0 through 7.6.3 and before 7.4.6 allows an unauthenticated attacker to obtain information pertaining to the device's health and status, or cause a denial of service via crafted OFTP requests. | ||||
| CVE-2025-59810 | 1 Fortinet | 3 Fortisoar, Fortisoaron-premise, Fortisoarpaas | 2026-01-14 | 6.2 Medium |
| An improper access control vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.2, FortiSOAR PaaS 7.5.0 through 7.5.1, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.2, FortiSOAR on-premise 7.5.0 through 7.5.1, FortiSOAR on-premise 7.4 all versions, FortiSOAR on-premise 7.3 all versions may allow information disclosure to an authenticated attacker via crafted requests | ||||
| CVE-2025-59923 | 1 Fortinet | 1 Fortiauthenticator | 2026-01-14 | 2.6 Low |
| An improper access control vulnerability in Fortinet FortiAuthenticator 6.6.0 through 6.6.6, FortiAuthenticator 6.5 all versions, FortiAuthenticator 6.4 all versions, FortiAuthenticator 6.3 all versions may allow an authenticated attacker with at least read-only admin permission to obtain the credentials of other administrators' messaging services via crafted requests. | ||||
| CVE-2021-33044 | 1 Dahuasecurity | 38 Ipc-hum7xxx, Ipc-hum7xxx Firmware, Ipc-hx3xxx and 35 more | 2026-01-13 | 9.8 Critical |
| The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. | ||||
| CVE-2021-33045 | 1 Dahuasecurity | 36 Ipc-hum7xxx, Ipc-hum7xxx Firmware, Ipc-hx3xxx and 33 more | 2026-01-13 | 9.8 Critical |
| The identity authentication bypass vulnerability found in some Dahua products during the login process. Attackers can bypass device identity authentication by constructing malicious data packets. | ||||